[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: sane ppolicy choices

To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
Subject: Re: sane ppolicy choices
From: Igor Shmukler <igor.shmukler@gmail.com>
Date: Thu, 5 Mar 2015 11:50:37 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=YK7nMVl6I7NPApRWX+VteTUdMj9eyuf33ixfOKuCTuQ=; b=CjRzwpk9iEUR/44HcpfwN9Bqys0xeDEvPgtlqYlHPTMR8Zcb4Yq6z2tdlbAxx2a2jL qs494msyoZaS0SDFlv7gf8DIHSXtpMYCxJSdfpLa/dFHe5AIQBE1UQuaV4Es2cQhg7K4 ipx9MoqBInxV4JEOPNQETrRwjsuxxjrA3wosFQvblsIG+EZpmDyH/shQm1t36dc+sPNL Zp3EHFEUVPA/NqUq9ga42SPOz2olzw2laJ05tAgWMlXQDFik4slNBBcoT5cWGh5uZCPz VSLbRT733zto8m2y4C2Nm/gYW8hZoiCd72nUpzYJLYhF49xqJwmMpeurgQkKTBkKp9lU RUmg==
In-reply-to: <CAA1SNA01sUuFMEW_83mSoxWgUSXZZUM8iAuFifRyefzxSb5Ynw@mail.gmail.com>
References: <CAA1SNA01sUuFMEW_83mSoxWgUSXZZUM8iAuFifRyefzxSb5Ynw@mail.gmail.com>

I also see that setting pwdLockout to TRUE and pwdLockoutDuration to 0
disables logins until enabled by an administrator. This works for my
needs. However, I don't see how to enable pwdLockout when some time
lapses or on specific date. Hence, I would probably need a cron job to
disable accounts.
Please share your insights!

On Thu, Mar 5, 2015 at 11:35 AM, Igor Shmukler <igor.shmukler@gmail.com> wrote:
> Hello,
>
> I am trying to implement a trial [period] for new customers, using the
> OpenLDAP password policy overlay.
>
> I was thinking about setting a combination of pwdMaxAge, pwdMustChange
> and pwdAllowUserChange.
>
> Basically, the best idea I have had is to set MaxAge to the length of
> trial [in seconds] then in a user changes the password while in trial
> mode, calculate MaxAge as (trial_length - time_passed), then at the
> end setting MustChange to true and AllowUserChange to false [until the
> trial has been converted].
>
> Is that a sane policy? Should I be doing something totally different?
> Please advise.
>
> Sincerely,
>
> Igor Shmukler

References:
- sane ppolicy choices
  - From: Igor Shmukler <igor.shmukler@gmail.com>

Prev by Date: sane ppolicy choices
Next by Date: Re: sane ppolicy choices
Index(es):
- Chronological
- Thread